Kroll Fraud Solutions Blog – A Dialogue on Data Security

This month, Connecticut Attorney General Richard Blumenthal announced that his office reached a settlement with health insurance company Health Net over their breach of sensitive patient data. The agreement resolves allegations that Health Net violated the Health Insurance Portability and Accountability Act of 1996 (HIPAA), as well as state privacy protections. The Health Net breach dates back to May 2009, when the company lost a disk drive with PII and PHI for some 2 million patients. The company took more than what Blumenthal considered a reasonable amount of time to report the missing disk and notify affected individuals. Blumenthal alleged that the company delayed and otherwise failed to properly inform the state governing authorities.

A data breach can occur many ways. Even a data “warehouser,” who has implemented a policy to minimize data collection and retention while making necessary data accessible in a secure environment, may still be subject to a data breach. A data breach may still occur by accident or through malice even when a well written policy and procedure is adhered to seriously by computer users. Data is only as safe as the trustworthiness and reliability of the organization’s users.

Between the morning of May 1^st and the evening of May 2^nd, more than 13 inches of rain fell here in  Nashville. Flood waters invaded the city and surrounding communities to a degree never before experienced. Sadly, some of our co-workers suffered great property losses and are now dealing with complex aspects of recovery from this natural disaster.

In an effort to look for positive outcomes from this tragic event, today our team of Licensed Investigators shares insights culled from the experience of our colleagues in relation to matters of personally identifiable information (PII).

Prior to an emergency:

Ten tips for fax safety

As we discussed in the last two posts in this series, you can see how even mundane office equipment can pose a serious security risk. Part of the security battle here is simply understanding the issue, because the technology already exists to help you erase your fax or copier hard drive. So, are you safeguarding against what amounts to pure error?

As it turns out, there are several steps you and your staff can take to reduce the risk of misdirected faxes:

Going back to our April 30th blog post . . . Back when I was just starting to learn about id theft and protecting my PII, I applied for a Hollywood Video rental membership. The application asked for my Social Security number. I asked why they needed it; the clerk couldn’t tell me. I didn’t list it and I still obtained a membership. The store at which I applied is now closed and stories have appeared about the irresponsible disposable of the records by other stores. So, how happy am I now that I didn’t give that piece of PII on the application. I tell this to the students when we present the CSR program—be stingy with personal information.